Search

Search for:

IT Support for IT Professionals

Third Tier's provides IT support for IT professionals. We help you resolve a problem or handle a project. We're the specialist or the extra set of eyes. Because we are IT Pros we don't spend time redoing what you've already done. We get right to work. Check out our Helpdesk and FAQ pages.

SignUp for SuperSecret News

ThirdTier receives classified security updates and can only share them with known people. Sign Up below. In addition you will also receive Zero Day alerts and other news from Third Tier.
Email Address
First Name
Last Name
Company Name
Address
Address 2
City
State
Zip
Country

The ability to encrypt email is a critical feature. So much information gets sent via email — corporate secrets like specifications, private content like pretty much anything from your accountant or lawyer, or maybe just something you’d like to keep between you and the recipient. Email encryption is a fact of life. Recently, Microsoft moved email encryption into Azure but instead of being called Office 365 email encryption, it’s now Azure Information Protection (AIP).

In doing so, they also simplified the process for users. Reading an encrypted message no longer requires the person receiving it to open an attachment. Instead, they will click on the link in the body of the email. And when a reply is made to the email, the original sender does not have to do anything to open that reply. It is decrypted for viewing automatically. If they send a reply it will again be encrypted automatically. Messages can be encrypted between internal users too. And they’ve even made the third-party authentication easier to use too.

However, while simplifying the email encryption process for users, they’ve added to the workload of administrators because you need to set up your email encryption again to use the new version.

What follows is a step-by-step guide for completely configuring or reconfiguring email encryption in your Office 365 tenant.

For previously configured tenants

I like to start from a clean slate, so for this reason, I’m going to recommend that you remove any encryption rules you previously created from Exchange. After that disable encryption, wait 30 minutes then reenable it. This will make sure that your tenant gets switched over to the new version.

To do that, go to the admin portal/ Settings/Services and add-ons. Click on Azure information protection and disable it. Don’t forget to turn it back on 30 minutes later.

For tenants not previously configured for email encryption

Go to the admin portal/ Settings/Services and add-ons. Click on Azure Information Protection and enable it. It should take effect immediately but you might want to wait 30 minutes just to be sure.

For tenants created after February 2018

Azure Information Protection should be enabled by default so you won’t need to turn it on. You can move straight into configuration.

Check that AIP is working

Before we try to configure anything, let’s take a moment to make sure that it’s working correctly. You’ll need PowerShell for all of the configurations from here on out. First you need to connect to your Exchange Online Service. Be sure to run PowerShell as an administrator then run the following commands.

We’re ready to configure

Now that we know that AIP is working, we are ready to configure it. There are several pieces to this. There’s creating the rule for when encryption gets applied to an email, allowing attachments to be unencrypted by the recipient, customizing the email, and optionally setting up a super-admin to decrypt messages and files encrypted by your staff. Leave your PowerShell session open until you’ve completed the entire process.

Create an Exchange rule

You need a mail rule to tell Exchange when you expect messages to be encrypted. The rule I suggest uses a keyword to trigger the encryption. In the example that follows, when the word securemail is present anywhere in the email, Exchange will encrypt the message.

Open the Exchange online administrator console.

Go to Mailflow/Rules.

Click the arrow next to the + sign and choose Add new Rule type Apply Office 365 Message Encryption and rights protection to messages.

Name the rule Encrypt on Demand or anything that you’ll remember.

In the Apply this rule if…box select The subject or body includes the word securemail (or any other word of your choosing but it will need to be a word that someone won’t type by accident).

In the Do the following…box select Apply Office 365 Message Encryption and rights protection to the message with and select the Encrypt template

Admin control for attachments

By default, attachments to your encrypted email are also encrypted and can’t be opened outside of your company. They say that there is an option to change this but I don’t think that your users will feel that way. It is very common that the reason for sending an encrypted message is because of the content of the attachment. Microsoft’s reasoning for not making this the default setting is that once decrypted the message is plainly available to the recipient to do with as they choose.

To allow the downloading of attachments without protection for Encrypt-only:

Set-IRMConfiguration -DecryptAttachmentFromPortal $true

Customize the appearance of the encrypted email

By default, the email message gives the recipient that phishy feeling, so you will want to customize the content to indicate that they email is legitimate. In addition, I recommend that anyone using encryption get in the habit of first sending a regular email letting them know that an encrypted email is about to follow.

Here I am simply sharing Microsoft’s instructions for these customizations. I’ve added a couple of tips to their chart and provided a sample.

Logo: We will likely have to make one up. I like to use GIMP. Any editor can be used. This is very small so often the real corporate logo cannot be used but instead just the name of the company would be appropriate.

When you get all done it should look something like this. In the sample below you can see where each of the text items is located in the message.

Setting up the super-admin

A super-admin is necessary to decrypt messages that anyone may have encrypted. Do note that it is also possible to encrypt files as well as email. Files in SharePoint and OneDrive can be stored encrypted at rest, and this super-admin will have decrypt control over those too.

This super-admin is a very powerful tool. You do not have to set them up before you need it. You can add the super-admin when needed and remove it when not needed. It would be more secure to do so. However, in a company where turnover is a regular occurrence, you might find that you need it more often than you don’t.

To set up your super-admin, run the following commands. Items in brackets are my comments and are not part of the command.

connect-aadrmservice [connects you to Azure AD. When you run this command you will be prompted to authenticate again. This is because you are changing services. Previously we were connected to Exchange Online, now we’re connecting to Azure AD]
enable-aadrmsuperuserfeature [enables the feature]
Get-AadrmSuperUser [shows you if there are any users already set up as a super admin]
get-aadrmsuperusergroup [shows you if there are any groups already set up as a super admin]
If there are any users already set up, verify that they should be there if not remove them using the remove-aadresuperuser -email <address> command or aadresuperusergroup if it’s a group you want to remove.
add-aadrmsuperuser -emailadress <email address> [adds a user as a super admin]

Finally, test email encryption with a real user

Now for the all-important testing phase. There’s plenty of room for error in everything that we’ve done above so don’t let this go without testing. Please find a friendly user in your company to test with.

Send an email with securemail in the subject line to your account. And reply. Make sure the email can be opened.

Send an email to a public email address such as Gmail or Yahoo. And reply. Make sure the email can be opened.

Send an email with an attachment and make sure that both internal and external users are able to open it.

It took a lot longer to write this and much longer to read it then it takes to implement. In my MSP practice, we are completing these tasks in under an hour including the customization piece that is the longest part of the whole configuration due to the logo customizations that it requires. But this time is an hour well spent. Email encryption will protect the information that needs protecting and make email a much better resource for communicating sensitive information.

_____________________________

About Third Tier

Open a ticket with us! Established in 2008, Third Tier only works for IT Professionals by providing them with access to advanced support services. No one can know it all these days, so we give IT pros a place to go to get the hands on support they need in areas they normally don’t work in or problems they’ve never encountered. We also work on projects, fix their accounting practices and do many, many migrations and other installations. Our staff covers a wide range of technologies.